In what the Office of Inadequate Security (OIS) calls a "somewhat incomplete and unsatisfactory... notification letter", Coca-Cola is warning some 74,000 current and former employees and other individuals that their personal information may have been compromised. "The letter, signed by their CIO, Tom Miller, does not indicate when the laptops were stolen, how many were stolen, or the circumstances under which they were stolen. Nor does the letter disclose how many employees had data on the laptops and whether the data on the laptops were encrypted (or if not, why not)," writes OIS.
Apart from saying that Coca-Cola is arranging free credit monitoring for the victims, all the letter says about the incident is that it was discovered on December 10, 2013; that several laptops had been stolen; and that the company is "engaged with the appropriate law enforcement in this matter." Plus, of course, the company takes "very seriously the security of information on employees and other individuals," and "We deeply regret this incident occurred."
The Wall Street Journal, however, provides a bit more detail. "Coke spokeswoman Ann Moore," it reports, "said the laptops were stolen by a former employee who had been assigned to maintain or dispose of equipment. She didn't identify the person or say whether that person was an employee when the laptops were transferred."
The company claims to have now regained possession of the laptops, and says it has no evidence that any of the personal data has been misused. Nevertheless, reports WSJ, "The beverage giant told its U.S. and Canadian employees the data on the laptops, which wasn't encrypted, included names, Social Security numbers and addresses, as well as details like financial compensation and ethnicity."
In an apparent contradiction, WSJ notes, "Coke said company policy requires laptops to be encrypted, but the stolen computers hadn't yet been encrypted." The report also implies that the laptops had reached the end of their service life still unencrypted: "The laptops had been assigned to employees who maintained such information for its human resources operation. The laptops were turned over to the former employee to dispose of or recycle [but who instead stole them], according to Ms. Moore."
The implication is that Coca-Cola was not sufficiently monitoring personal data, nor adequately enforcing its policies – something that is not lost on the security industry. "Being aware that your information is at risk and ensuring that it is properly secured is not paranoia: it is instead sensible behavior in the information age," explains Chris McIntosh, CEO of ViaSat UK. "Organizations need to be sure they have a firm grasp on their data, know where and when it has been copied or transferred, and ensure that techniques such as encryption are in place in case it falls into the wrong hands."
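The gap the two preceding paragraphs describe is a lifecycle one: a policy required encryption, but nothing checked it at the moment the laptops changed hands for disposal, and nothing checked who was taking custody. The script below is an added example (not Coca-Cola's tooling, and not from the WSJ or OIS reports) of the control a practitioner would put at that hand-over point: a release gate over an asset inventory that refuses to let a device leave its assigned user unless it was either full-disk encrypted or verifiably wiped, flags any custodian who is not a current employee, and reports encryption coverage on the in-use fleet so that "policy requires encryption" can be measured rather than assumed. The inventory fields, the staff list and the sample records are all constructed for illustration.

```python
"""Asset-release gate: added illustrative example, not any company's real tooling.
Inventory schema, employee ids and sample records below are constructed."""

from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Data classes whose presence turns a lost disk into a notifiable breach.
SENSITIVE_CLASSES = {"ssn", "address", "compensation", "ethnicity"}


@dataclass
class Device:
    asset_tag: str
    state: str                # "in_use", "pending_disposal" or "released"
    encrypted: bool           # full-disk encryption confirmed by the management agent
    sanitized: bool           # wipe certificate on file
    custodian: Optional[str]  # employee id of whoever physically holds it now
    data_classes: Set[str] = field(default_factory=set)


@dataclass
class Finding:
    asset_tag: str
    rule: str
    detail: str


def check_device(dev: Device, active_staff: Set[str]) -> List[Finding]:
    """Apply the release rules to one device. Devices still in use pass through;
    the gate exists for the hand-over step, which is where the Coke laptops got out."""
    findings: List[Finding] = []
    if dev.state == "in_use":
        return findings

    # Rule 1: a device may only leave its user if the data on it is unreadable,
    # either because the disk was encrypted or because it was wiped.
    if not (dev.encrypted or dev.sanitized):
        exposed = sorted(SENSITIVE_CLASSES & dev.data_classes) or ["none recorded"]
        findings.append(Finding(dev.asset_tag, "UNPROTECTED_AT_RELEASE",
                                "neither encrypted nor wiped; data classes: " + ", ".join(exposed)))

    # Rule 2: custody of a retired device stays with current staff until it is wiped.
    if dev.custodian is not None and dev.custodian not in active_staff:
        findings.append(Finding(dev.asset_tag, "CUSTODIAN_NOT_ACTIVE_STAFF",
                                f"held by {dev.custodian}, who is not a current employee"))

    # Rule 3: nothing is marked released without a wipe certificate, encrypted or not.
    if dev.state == "released" and not dev.sanitized:
        findings.append(Finding(dev.asset_tag, "RELEASED_WITHOUT_WIPE",
                                "left company custody with no wipe certificate"))
    return findings


def audit(inventory: List[Device], active_staff: Set[str]) -> List[Finding]:
    """Run the gate over the whole inventory and collect every finding."""
    return [f for dev in inventory for f in check_device(dev, active_staff)]


def encryption_coverage(inventory: List[Device]) -> Tuple[int, int]:
    """(encrypted, total) over in-use devices: the number that shows whether an
    encryption policy is actually enforced rather than merely written down."""
    in_use = [d for d in inventory if d.state == "in_use"]
    return sum(1 for d in in_use if d.encrypted), len(in_use)


# Constructed sample data (hypothetical employee ids and asset tags).
ACTIVE_STAFF = {"e100", "e101", "e102"}
INVENTORY = [
    Device("LT-1001", "in_use", True, False, "e100", {"ssn", "compensation"}),
    Device("LT-1002", "in_use", False, False, "e101", {"ssn", "address"}),
    # Unencrypted HR laptop handed to someone no longer on staff: the Coke pattern.
    Device("LT-1003", "pending_disposal", False, False, "e999", {"ssn", "address", "ethnicity"}),
    Device("LT-1004", "released", True, True, "e102", {"compensation"}),
    Device("LT-1005", "released", True, False, "e102", set()),
]

if __name__ == "__main__":
    for f in audit(INVENTORY, ACTIVE_STAFF):
        print(f"{f.asset_tag} {f.rule}: {f.detail}")
    enc, total = encryption_coverage(INVENTORY)
    print(f"encryption coverage on in-use laptops: {enc}/{total}")
```

Run against the sample inventory, the gate raises two findings on LT-1003 (unprotected at release, and held by a non-employee) and one on LT-1005 (released without a wipe certificate), while LT-1004 passes because it was both encrypted and wiped. The coverage figure of 1/2 on in-use laptops is the kind of metric that would have surfaced "policy requires encryption but the laptops hadn't yet been encrypted" before a disposal run, not after a theft.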
The incident is precisely of the type that should be prevented by data loss prevention technologies. Kevin Bailey, head of marketing strategy at Clearswift, explains: "This type of incident shows why a layered security approach to all endpoints is essential," he told Infosecurity. "Policy enforcement that is bypassed for security features such as encryption, needs to be overlaid via an automated data protection offering, where movement of the data from the device is controlled via DLP policies that cannot be overridden or bypassed. Advanced DLP... would not only quarantine the information if it was attempted to be extracted via a USB or other network, but would physically redact the sensitive data so the lost PC would never freely make the sensitive content visible for unintentional use."